First Malware Spotted Running Natively on M1 Macs
Posted February 18, 2021 at 1:25am by iClarified
Security researcher Patrick Wardle has found what may be the first malware to run natively on M1 Macs.
While working on updating his apps to run natively on Apple Silicon, Wardle wondered if malware developers were updating their apps as well.
As I was working on rebuilding my tools to achieve native M1 compatibility, I pondered the possibility that malware writers were also spending their time in a similar manner. At the end of the day, malware is simply software (albeit malicious), so I figured it would make sense that (eventually) we’d see malware built to execute natively on Apple's new M1 systems.
After a hunt that he details in the blog post linked below, Wardle found GoSearch22.
The GoSearch22.app is an instance of 'Pirrit' adware that persists via a launch agent and installs itself as a malicious Safari extension. The code attempts to prevent debugging and tries to detect whether it is running in a virtual machine.
"When users have apps like GoSearch22 installed on a browser and/or the operating system, they are forced to occasionally see coupons, banners, pop-up ads, surveys, and/or ads of other types. Quite often ads by apps like GoSearch22 are designed to promote dubious websites or even download and/or install unwanted apps by executing certain scripts. Moreover, adware-type apps like GoSearch22 tend to be designed to collect browsing data. For instance, details like IP addresses, addresses of visited web pages, entered search queries, geolocations, and other browsing-related information."
Notably, when Wardle uploaded the separated binaries of GoSearch22 to VirusTotal, he found that detections of the arm64 version were about 15% lower than those of the x86_64 version. This means that some defensive security tools may not detect the malware when it targets M1 users.
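An added example, not code from the article or from Wardle's tooling: a universal (fat) Mach-O carries one slice per architecture, and, as the detection-rate gap above shows, each slice is worth checking separately. The script below parses the fat header layout from <mach-o/fat.h>, splits a binary into its arm64 and x86_64 slices and hashes each one so the slices can be looked up independently; the sample fat binary it builds is constructed test data, not a real Mach-O.

```python
import hashlib
import struct

# Mach-O universal ("fat") header constants from <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

def split_fat_binary(data: bytes) -> dict:
    """Return {arch_name: slice_bytes} for every slice of a universal Mach-O."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        raise ValueError("not a universal (fat) Mach-O binary")
    nfat_arch = struct.unpack(">I", data[4:8])[0]
    slices = {}
    for i in range(nfat_arch):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian 32-bit each)
        off = 8 + i * 20
        if off + 20 > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, _subtype, offset, size, _align = struct.unpack(">iiIII", data[off:off + 20])
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        name = CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")
        slices[name] = data[offset:offset + size]
    return slices

def slice_hashes(data: bytes) -> dict:
    """SHA-256 per architecture slice: the value to look up for each slice separately."""
    return {arch: hashlib.sha256(blob).hexdigest()
            for arch, blob in split_fat_binary(data).items()}

def build_fat(slices) -> bytes:
    """Assemble a minimal fat binary from (cputype, payload) pairs; used only for test data."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    entries, body = b"", b""
    first_slice = 8 + 20 * len(slices)
    for cputype, payload in slices:
        entries += struct.pack(">iiIII", cputype, 3, first_slice + len(body), len(payload), 0)
        body += payload
    return header + entries + body

# Constructed sample: two stand-in slices (not real Mach-O code), hypothetical test data
SAMPLE_FAT = build_fat([(CPU_TYPE_X86_64, b"x86_64-slice"), (CPU_TYPE_ARM64, b"arm64-slice")])

if __name__ == "__main__":
    for arch, digest in slice_hashes(SAMPLE_FAT).items():
        print(f"{arch:8} {digest}")
```

On a real universal binary, pass the file's bytes to `slice_hashes` and look up each digest on its own; a hash of the whole fat file will not match either slice.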
More details in the full report linked below...
Read More